Archive for April, 2008

Yesterday afternoon I was in the offices of one of my large corporate clients – a financial services company.¬† I needed to go online to gather some information and enlisted the help of one of their IT staff members to get me access.

The first thing I did was go to check my email.¬† I use Google’s Gmail client when I check mail on the web.¬† I like its user interface.¬† No luck!¬† I entered www.gmail.com and received a giant red warning “You are trying to access a site that is FORBIDDEN!”¬† Interesting.¬† My helpful IT guy said “oh, I forgot to tell you, we monitor every single thing that you do when you’re on the web.¬† We control what you can see, what you can’t see.¬† We read all your email.¬† We’re watching.”

Now, if I’d picked up the phone to make a call I’d have some measure of assurance that no one was listening.¬† Not so in the land of bits. I might just as well have been in China searching for Falun Gong.¬† Little Brother is alive and well.¬† You don’t need to be a government to impose surveillance and thought control.

Now this particular client isn’t a mom and pop operation.¬† The assets they handle exceed the gross domestic product of most nations. So maybe they think of themselves as a government, even a totalitarian one. But even so, I found the notion that they were watching my every move, controlling the websites I could access and hence the information I could receive, reading my email, a bit creepy.

It was one more reminder that technology had moved faster than the laws intended to manage its impact on our lives.¬† When telephones arrived we put in place legal protections for the privacy of our communications using them.¬† At some point, we will need to do the same for the bits that carry the substance of our lives.

I used to think that conservatives would oppose ubiquitous government surveillance. I figured it was the left that would be watching to make sure I was not smoking in the wrong place or saying something bad about the wrong people. That image of the politics of surveillance is outdated.

Today it is the right that wants the government to have carte blanche to listen in on our conversations. The rationale, of course, is that the government will keep us safe from terrorists if only we let it know everything we are saying. We should like being watched, to paraphrase Blown to Bits, because it means we are being watched over.

The Protect America Act, a six-month extension of the Foreign Intelligence Surveillance Act or FISA, expired recently. Here is one of the recent conservative rants on this subject, by Cliff May: ‚ÄúThe law that gave America‚Äôs intelligence agencies the authority to freely monitor the communications of foreign terrorists abroad expired in February. A bill to restore that authority passed the Senate by a solidly bipartisan 68-to-29 majority. A bipartisan majority in the House would almost certainly vote in favor of the same measure but Speaker Nancy Pelosi (D-Calif.) ‚Äîfor more than two months‚Äîhas used the power of her office to stop members from voting.‚Äù Another of the same ilk, by Robert Novak, describes the law as making it possible for the government to ‚Äúcontinue eavesdropping on suspected foreign terrorists.‚ÄùWhat such capsule summaries fail to mention is that the laws make it possible to eavesdrop on foreign terrorists by legalizing eavesdropping on anyone at all, including Americans, talking about anything at all, as long as the bits cross the US border. As EPIC‚Äôs summary explains, ‚Äú[The Protect America Act] permits the warrantless surveillance of Americans when the surveillance is ‚Äòdirected at‚Äô someone believed to be outside the United States‚Äîwhether that person outside the United States is an American or not.‚Äù That means your emails and VoIP conversations with your family traveling abroad. And don‚Äôt think they don‚Äôt have enough agents to be listening in on you talking to your spouse‚Äîautomated voice recognition is good enough now to recognize when you are mentioning bombs or Islam, however humorously.The price of liberty is eternal vigilance, but it does not require ceding to the government the authority to listen to Americans talking to Americans when they have done nothing to arouse suspicion. The conservatives should be ashamed of themselves for advocating that we surrender our Fourth Amendment rights by implying that these proposals don‚Äôt apply to us. They do.The limits of government surveillance should figure into the presidential campaign. Would the Dems take a stand on privacy and liberty? I‚Äôll bet they wouldn‚Äôt, and that if any debate moderator were to pose the question, they too would tell us, in so many words, that the only way to keep us safe from terrorist attacks is to empower Big Brother to the max.

Sometimes its not what you say, but to whom¬†and how you¬†say it. And in the post-digital-explosion world the possibilities are utterly transformed.

Consider what happened with James Karl Buck.

On April 10th he was arrested in Egypt while covering an anti-government protest.¬† As he was being led off to¬† an uncertain future he sent a single word message to the Twitter.com blogging site.¬† In case you’ve¬†never looked at it, in their own words “Twitter is a service for friends, family, and co‚Äìworkers to communicate and stay connected through the exchange of quick, frequent answers to one simple question:¬†¬† What are you doing?”
When I first encountered Twitter I had two conflicting reactions.¬† The first was “you’ve got to be kidding, will anybody actually do this?”¬† The second was “why not?”¬† After all, I had witnessed inumerable¬†cell phone conversations that had no more content than the central twitter question “what are you doing.”
¬†¬†
But I digress.
¬†¬†
Jim Buck sent his single word message “ARRESTED” to his friends¬†via Twitter, and it was enough to make all the¬†difference.¬†¬†You can read the whole story on the web here.
¬†
From the Blown To Bits perspective this is a classic example of the fundamental transformation that the digital explosion¬†has wrought.¬† Information moves everywhere.¬† The degree of connectivity, the ability to convey information¬†broadly, is staggeringly different from what was available in the pre-explosion era.¬† Twitter didn’t get Jim¬†out of jail, the collective efforts of his friends did.¬† But in the absence of the web, his fate could well have¬†been quite different.¬†
¬†
Had the designers of the Internet not created a system that¬†could be adapted for use in ways that were not imagined by those very creators, had they not produced, in Jonathan Zittrain’s lexicon, a “generative¬†technology” James Buck might well be in an Egpytian jail today.
¬†¬†¬†¬†¬†¬†¬†

It‚Äôs been a long time since I‚Äôve been at a protest. I went to a few against the Vietnam War in 1969. I‚Äôve observed some protests (hey, I was a dean). I‚Äôve negotiated with protesters and counter-protesters (once managed to keep the pro-Israel and pro-Palestine students respectfully apart at opposite ends of Harvard Yard). I‚Äôve even been protested against. But I‚Äôve never suggested organizing one.

There‚Äôs always a first time.

J. K. Rowling will be Harvard‚Äôs Commencement speaker on June 5. She‚Äôll get an honorary degree in the morning and be the principal speaker at the afternoon exercises.

So? Everyone loves her, don‚Äôt they?

Rowling aggressively protects the Harry Potter books, which is certainly her right. No reason why she has to put out a Creative Commons version (as we will do, once Blown to Bits has been in print for a while).

¬†But she is suing a librarian named Steven Vander Ark to prevent him from publishing a Harry Potter lexicon. Her claim that putting out the lexicon will ‚Äúopen the floodgates for anyone to lift an author’s work and present it as their own‚Äù is absurd. There are countless examples of published indexes and concordances. They do the authors no harm and probably do them good. I could not have read Joyce without my handy Skeleton Key to Finnegan‚Äôs Wake.¬†Ironically, Rowling used to think that Vander Ark‚Äôs site was swell. Probably she‚Äôs now decided to write a lexicon of her own and doesn‚Äôt want the competition.¬†Copyright law is out of balance, as we explain in Blown to Bits. The imbalance often takes the form, as it does in this case, of heavyweights using the law to sit on the little guys. But the analogies apply at all levels. Farhad Manjoo has blogged about the Harry Potter lexicon, pointing out that taking Rowling‚Äôs argument to its logical conclusion would prevent Google from indexing the Web and making advertising money from the index, unless it got explicit permission from each web site.¬†So I‚Äôm in favor of protesting Rowling‚Äôs anticompetitive abuse of copyright law. Unfortunately, your authors can‚Äôt organize the protest, since two of them will be busy in their official roles organizing Commencement itself!¬†

Yesterday, Microsoft delivered the coup de gr?¢ce to MSN Music DRM. May it rest in peace.

Digital Rights Management (DRM) is the practice of distributing digital content together with control programs that restrict how it can be used. For example, a publisher can distribute music that can played only a designated number of times, or only on designated computers, or that must periodically ‚Äúphone home‚Äù over the Internet for reauthorization and relicensing. Content providers, notably the recording industry, embraced DRM as a way to cope with unauthorized downloading and file sharing.

Blown to Bits argues that DRM schemes are ineffective and anti-competitive and in the long run a bad deal for publishers and customers alike. If you buy music that must contact a license server before it can be played, then the music isn’t really yours ‚Äì if the license server goes away, ‚Äúyour music‚Äù becomes a useless wad of encrypted bits.

That drawback of DRM was driven home yesterday when Microsoft announced that it would be shutting down the license servers for MSN Music, a DRM scheme introduced in 2004 to the fanfare announcement that this would ‚Äúfinally bring digital music to the masses.‚Äù Music tracks purchased from the MSN Music store can be played only on computers licensed for that track. You can have at most five computers licensed for a track at once. If you get a sixth computer, you must contact the MSN server to de-authorize one of the five and license the new one. A ‚Äúnew computer‚Äù here means not only a new physical machine: if you upgrade your operating system, you need new licenses for all the music tracks.

Microsoft stopped selling new MSN Music in 2006, when it introduced Zune Marketplace. In an email yesterday from the General Manager of MSN Entertainment Services, purchasers of MSN Music tracks learned that the license server will be shutting down on August 31. After then they’ll be stuck: no more licensing new machines ‚Äì replace a computer, or upgrade an operating system after the summer, and their music can’t be transferred to it.

The anti-consumer nature of DRM is becoming increasingly apparent, and publishers are starting to move away from it. And yet, as described in the book, the desire to shore up DRM gave birth to the innovation-hostile anticircumvention provisions of the Digital Millennium Copyright Act, and new DRM-inspired legislative proposals are still very much alive on Capitol Hill. What can consumers do when the content they purchased phones home, but no one answers? Perhaps they should have it phone Congress.

Googleis the #1 brand in the world, according a Millward Brown report, Top 100 Most Powerful Brands ‚Äò08. The ranking formula multiplies ‚ÄúIntangible earnings‚Äù by ‚ÄúPortion of intangible earnings attributable to brand‚Äù by ‚ÄúBrand earnings multiple.‚Äù Others will have to judge whether these three factors are the right ones, whether their values can be determined meaningfully, and whether that is the right way to combine them. I am a bit skeptical. The #2 brand? GE. #3 is Microsoft, #4 is Coca-Cola, and #5 is China Mobile.

If Google is the #1 brand‚Äîand that does feel right, whatever calculation produced the result‚Äîthe implication is astonishing. The top brand in the world is one that almost no one had heard of a decade ago. The earliest reference I could find to ‚ÄúGoogle‚Äù in a search of newspaper archives was a May 31, 1998 column by Bradley Peniston in the Annapolis, MD Capital, entitled ‚ÄúYahoo for new search engine.‚Äù (That‚Äôs leaving out all the articles about the Barney Google comic strip.) A week later, in his next column, Peniston had to explain where to find Google‚Äîon the Stanford web site!

There is nothing really surprising about this. For years people have been worried about the mean, nasty stuff young people say about each other on Facebook, in MySpace, and on blogs. Adults are just catching up to youth culture. It‚Äôs also true that teenagers were walking around with MP3 players and earbuds a few years before middle-aged men with briefcases were doing it. One of the women quoted isn‚Äôt worried about the impact on her children for exactly that reason. As the Times reports, ‚ÄúIt is a generational issue ‚Ä¶. We think it will be a big deal, but it won‚Äôt be to them. By the time they are old enough to read it, they will have spent their entire life online. It will be like, ‚ÄòOh yeah, I expected that.‚Äô ‚Äù

Yet I find the article interesting in several ways, beyond the head-shaking instinct. Why is it apparently mostly women doing this? Is it really a healthy form of catharsis, as a number of those posting comments have suggested?But perhaps most surprising is the statement that 10% of adult Internet users have created their own blogs. I tracked down that number, and it is understated: The actual percentage, from this table, is 12%. Is that level sustainable? The same report says that only 39% of adult Internet users read other people‚Äôs blogs! One imagines a strange world in which millions of people are writing blogs about intimate personal matters, and almost no one is reading most of them.

As everyone keeps telling us over and over, we should never send sensitive information to an email address, or enter it into a web page, unless we’re confident we know where it’s going. Tricking people with bogus network addresses is called phishing. It’s an online fraud that goes back to the pre-Web days of America On Line, but its prevalence has skyrocketed over past decade because it’s so easy to accomplish with today’s web browsers. A text link you see on a web page might read ‚Äúwww.bankofamerica.com,‚Äù but if you were to examine the program code, you’d see that it’s not Bank of America’s web site you visit when you click on the link, but some other site, perhaps located in Eastern Europe, which looks just like the Bank of America site. Enter your account number and password, and they are dutifully stashed away as loot for identity thieves.

It’s a well-known trick, and even people who should know better get fooled all the time. For the past several several months, a large fraction of the MIT community has been receiving email messages from ‚Äúthe MIT network administrators‚Äù telling them that their MIT email accounts are about to expire and they need to re-register by emailing their password to an address shown in the message. You’d think MIT people wouldn’t fall for this, but it happens. The real MIT network administrators watch for email outgoing to the bogus address and contact the hapless victims, a group that’s included a few faculty members in the past month.

When everything is bits, frauds easily cross from one domain to another. In a variant of phishing known as vishing (‚Äúvoice phishing‚Äù) the perpetrator uses bogus caller ID information to trick victims into thinking they are being called by a bank, mimics the bank’s automated answering system, and asks for credit card information to be entered by touch tone. Spoofing the caller ID information ‚Äì making a fake phone number appear on recipient’s caller ID display ‚Äì is simple thanks to Voice over IP and the open Internet architecture that lets anyone create phone applications. There’s phone software widely available that includes spoofing as a ‚Äúfeature,‚Äù and even services like www.spoofcard.com that will sell you an account from which you can make spoofed phone calls: merely type in the called ID number you’d like your recipient to see, and call.

Just today, I encountered a variant of this trick I hadn’t seen before ‚Äì a cross-domain phishing hoax (phvishing ?) that almost fooled me. It came in the guise of an official looking email from Bank of America informing me that I needed to call them ‚Äúregarding recent activity on your account.‚Äù The email included the usual strong warnings against replying by sending account information by email. No bogus phishing links on this web page: all the links really did go to the BofA web site. But phoning the 800 number reached an official sounding automated answering system that asked me to punch in my account number, expiration date, and credit card validation code. It then told me that my card information had ‚Äúalready been registered‚Äù and everything was OK. Luckily, the email spoof was poorly done, and a close look at the return address showed that the mail was bogus, so I knew enough not to enter my real credit card data. It turns out that this hoax has been around since at least 2006; I just hadn’t encountered it before.

I doubt that I would have been fooled for an instant had this been a pure email hoax or a pure phone hoax, but the combination of the two was something I hadn’t expected. We all know to be cautious about internet messaging, but fewer of us feel are as suspicious about phone numbers, especially when we’re the ones doing the calling, as with the phony Bank of America number. The root of this difference in attitude is that the Internet (as described in Blown to Bits) has grown up as an open architecture, while the phone system has not. As the communication systems converge, they produce hybrids to which our instincts and attitudes are not attuned. Where this will end up, we don’t know. But of this we can be certain: digital convergence will continue, and so will human fraud.

Law School to hear Jonathan Zittrain speak about his new book when I ran into some of the loudest music I had ever heard. Wu-Tang Clan was performing on the steps of Memorial Church as part of Yardfest ‚Äì a free concert for undergraduates. ¬†Since my kids are in their mid thirties, Wu-Tang was not part of my musical experience. ¬†They did, however, draw a big crowd.

Now when I was in school, a crowd this big would almost certainly have been for one of two things: a demonstration against the war in

Vietnam, or a demonstration in support of civil rights. ¬†It was the sixties and those were the things that dominated campus life. ¬†Either would have drawn a crowd, and, it‚Äôs highly likely that a couple of folks from the FBI with cameras would be there as well. J. Edgar Hoover liked to know who was attending those sorts of things.

There were no FBI folks at Wu-Tang yesterday.¬† That wasn‚Äôt because who attends a rap concert doesn‚Äôt matter to the FBI, it‚Äôs because pretty much everyone there had a cell phone in their pocket, and that‚Äôs all it takes to place you somewhere with decent accuracy.

Did you go to the Obama rally last October?¬†¬† We can always ask Verizon.

All the technology is in place to do just that. ¬†The phone company has to know where you are to route calls to you, and bits are so cheap these days that there‚Äôs no reason to throw them away, no reason not to keep the position history around.

I‚Äôm not saying that it‚Äôs all happening now, just that it can. ¬†There is, however, plenty of evidence.¬† Consider Google maps for mobile‚Äôs ability to show where you are. (http://www.google.com/mobile/gmm/mylocation/index.html). ¬†No need even for GPS.¬† And if Google can get this information in real time, who else can? This is one more example of intended consequences of technologies, one more example of the good side / dark side of bits.¬† If you want to be able to ask your Google to find the nearest Chinese restaurant, then the capability to track your location must exist. And if it exists, we can save it. And if we can save it ‚Ä¶.you get the picture.

Business Week has a story that is scary and maybe reassuring at the same time. Perhaps it will be reassuring to people who have opened an email or clicked on an attachment against their better judgment that people who handle sensitive military secrets are tempted to do the same.

The spam and phishing attacks I receive are pretty lame, like this one I got today:

Dear HARVARD.EDU Subscriber,

To verify your HARVARD.EDU account, you must reply to this email immediately and enter your password here (*********)

Failure to do this will immediately render your email address deactivated from our database.

‚Ä¶

Thank you for using HARVARD.EDU !

THE HARVARD.EDU TEAM

The reply-to address is a mysterious gmail account, but if that weren‚Äôt bad enough, the thank-you from HARVARD.EDU is a dead giveaway. The ones that Booz Allen received were of much higher quality. They appeared to come from a real person in the office of the Secretary of the ¬†Air Force, an individual with responsibility for sales of aircraft to foreign governments. And that is what the body of the email was about. But it was malware‚Äìwired to install software in the recipient‚Äôs computer that would log keystrokes and screenshots and send them to ‚Ä¶ China.¬†We report ¬†in Blown to Bits that after the major communications trunks to the Chinese mainland were severed by an earthquake, the volume of spam reaching the US dipped for a few days.

Costly as spam may be, the problem the Business Week article reports is potentially more serious.¬†Effective breaches of the security of military and intelligence computer systems endanger U.S. security, and also undermine public confidence in the Internet itself.So the government is responding. According to the story, ‚ÄúBy June all government agencies must cut the number of communication channels, or ports, through which their networks connect to the Internet from more than 4,000 to fewer than 100. On Apr. 8, Homeland Security Dept. Secretary Michael Chertoff called the President‚Äôs order a cyber security ‚ÄòManhattan Project.‚Äô‚Äù

This is what Jonathan Zittrain is worried about, in his new book, The Future of the Internet‚ÄìAnd How to Stop It‚Äìthat the wide open Internet with which we are familiar will prove to be more trouble than it is worth, and we will, for our own good, opt for a safer network to which Chinese spies, and probably also American teenagers, cannot get connected.¬†¬†¬†The¬†Boston area launch of Zittrain‚Äôs book will be at Langdell Hall at Harvard at 6pm this Friday, April 18. It‚Äôs a great book and should be a great event!